Hackers have access to datacenter support credentials in Asia

Masked Hacker in a Hoodie Standing in Corporate Data Center
Sheila Zabeu -

February 25, 2023

Hackers have obtained access credentials to datacenters in Asia that serve some of the world’s largest companies. Part of the stolen data included email addresses and passwords to support websites for two major Asian datacenter operators, Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centers, according to Resecurity Inc, which provides cybersecurity and hacker investigation services.

According to a Bloomberg story, about 2,000 GDS and STT GDC customers were affected, including Alibaba, Amazon, Apple, BMW, Goldman Sachs Group, Huawei Technologies, Microsoft, and Walmart. The hackers accessed the accounts of at least five of them, including China’s leading foreign exchange and debt trading platform and four others from India, according to Resecurity, which said it had infiltrated the hacker group.

The two carriers say the stolen credentials pose no risk to IT systems or customer data. However, Resecurity and executives from the four large US companies affected said the theft of these credentials are an unusual and serious danger, especially as support sites often control who is allowed to access IT equipment hosted in datacenters.

The Bloomberg story highlights that the hackers had access to the login credentials for more than a year before putting them up for sale on the Dark Web in January 2023 for $175,000. According to Resecurity, stolen email addresses and passwords may have been used by the hackers to access customer accounts at GDS and ST Telemedia in January, when the two datacenter operators forced customers to reset passwords.

In its blog, Resecurity says it has notified several datacenter operators of malicious cyber activity. The first alert was sent in September 2021, with update notes throughout 2022 and January 2023. Recent cyberattacks on cloud service providers (CSPs) and managed service providers (MSPs) attempt to exploit vulnerabilities in the cybersecurity supply chain aimed at stealing confidential data from target companies. Datacenters are potential victims for attackers as they are a significant element in the corporate supply chain, Resecurity highlights.

Agents are likely to target helpdesk and customer service systems, ticket management applications and support portals. Equipment is also targeted, including closed-circuit TVs and cameras. Email accounts belonging to datacenter IT staff and their customers are also potential targets.

Resecurity predicts that intrusions and other malicious cyber activities related to datacenters and their customers are expected to grow in the future. Adequate measures must be in place to mitigate attack vectors across the IT and OT supply chain. It is also crucial to maintain transparent communication with suppliers about potential cybersecurity incidents involving customer accounts and associated data.

Datacenter security

security/top-5-data-center-security-risks-2023" target="_blank" rel="noopener">Cyber security experts warn that malicious agents are circumventing traditional protection techniques in datacenters and that it is therefore necessary to monitor the evolution of risks in these environments.

In particular, John Dwyer, head of research for the IBM Security X-Force, predicts that cybercriminals are likely to turn more specifically to the MFA and EDR technologies used for multifactor authentication and endpoint detection and response, respectively. Faced with this challenge, datacenter security administrators will need to be more proactive and get ahead of the curve against attackers who are managing to bypass non-phishing-resistant MFA systems and enhance EDR evasion techniques.

In addition, the physical security of datacenters must not be forgotten. The Operational Technologies (OT) essential for these environments are also vulnerable to attack. The management systems of this physical infrastructure are exposed on the Internet, opening the way for attackers to manipulate cooling systems and cause server overheating incidents, for example. They can also prevent backup processes from shutting down UPSs.

In addition, today’s datacenters widely use smart, internet-connected devices and IoT sensors in various control activities, from temperature monitoring to surveillance and access control systems. These are all potential sources of vulnerability and cannot be overlooked when talking about datacenter security. These devices can be hijacked and used in cyber attacks.